An Efficient Protocol for UAS Security
Olivier Blazy1, Pierre-François Bonnefoi1, Emmanuel Conchon1, Damien Sauveron1,3, Raja Naeem Akram2, Konstantinos Markantonakis2, Keith Mayes2, Serge Chaumette3
1: XLIM (UMR CNRS 7252), MATHIS, Université de Limoges
2: Information Security Group Smart Card Centre, Royal Holloway, University of London
3: LaBRI (UMR CNRS 5800), Université de Bordeaux
18/04/2017
ICNS 2017
Roadmap
• Introduction
• Contributions
• Requirements
• Cryptographic techniques used
• Protocol
  • Pre-protocol Setup
  • UAV processes
  • Protocol
• Formal Proof & Analysis of Efficiency - Test-bed
• Conclusions and Future work
Introduction
• Unmanned Aerial Systems (UAS)
  • Ground Control Station (GCS or GS)
  • One or several Unmanned Aerial Vehicles (UAV)
• UAVs sense and store data
• UAVs send data to GS when communication is possible (UAVs in the range)
[Figure: UAVs communicating with the ground control station inside the GS communication range]
Introduction
• Attacker interests in UAS
[Figure: attacker interests in a UAS. Labels: ground control station, owner of UAS, wireless communication, an attacker, focus on a single UAV, memory and processing units, sensors, interests of the attacker]
Introduction
• We consider a strong adversary model with a high attack potential.
  • The adversary has capabilities and knowledge to capture a UAV in a functional state
  • Then, he can perform advanced attacks
[Figure: advanced attacks. Labels: physical attacks, side-channel attacks (SPA on DES ciphering), fault injection attacks]
Contributions
• An Efficient Protocol for UAS Security
  • To ensure confidentiality of sensed data
    • using efficient cryptographic techniques (encryption scheme is left to implementer choice)
    • withstanding an adversary with a high attack potential
  • To minimize exchanges between UAVs and GS
    • 1 round is required (except in an optional case: 1.5 rounds).
• A Formal Proof of the Proposed Protocol
Requirements
• Each UAV must have its own cryptographic means (keys)
  • In other words, capture and forensics of UAVs should not compromise the security of UAS
• Keys must evolve during the mission to ensure the Perfect Forward and Backward Secrecy properties
• Cryptographic means of UAV should be renewed/refreshed from time to time
  • The C2 links can be used to refresh them
• Collected (sensed) data must be sent to the Ground Station as soon as a connection is possible to avoid potential loss
• Assumption: The GS is secure (else the whole network would be corrupted).
Cryptographic Techniques Used
• Keys stream
  • Based on an origin (the first key)
  • Subsequent keys are generated using a function (and potential parameters to diversify the result)
[Figure: a key stream K0 (origin), K1, …, Ki, Ki+1, …]
• We use a keyed hash function diversified with ID of UAV
Cryptographic Techniques Used
• Keys streams are timely updated to prevent attacks (since it is well known that an attacker can find subsequent keys in a stream if he knows only one key)
[Figure: key streams Stream 0, Stream 1, …, Stream l, each of the form K0, K1, …, Ki, Ki+1, …, laid out along a time axis starting at T=0]
Cryptographic Techniques Used
• One-time key: each key is used only once to encrypt data
• The key is used:
  • to encrypt data
  • to compute a triplet of Authentication Tickets (used later in the protocol for C2)
  • to generate the subsequent key of the stream
• Then, the key is cleared from memory and it cannot be recovered by anyone
Protocol Notations
Pre-Protocol Setup
• Each UAV is preconfigured with origin of its first keys stream
• The GS is pre-configured with the first keys stream for each UAV of the UAS
UAV in Mission – Sensing & encryption Process
• Each sensed data block SDj is immediately encrypted and then stored in non-volatile memory of the UAV using the current key, Ki
  • SDj is encrypted with any efficient symmetric algorithm using Ki and the result [ SDj || UAVID ]Ki is stored in NVM
  • UAVID is added to encrypted data to allow the GS to verify the result has meaning when coming from the UAV
• For each above encryption, UAV must also compute and store the triplet of Authentication ticket (H1, H2, H3)
  • These tickets will be used later to decrypt commands on C2 link.
• The subsequent key Ki+1 is computed and the current one, Ki, is deleted from memory
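The sensing loop above and the GS side of it, as an added sketch that is not the authors' implementation: the UAV encrypts each block under a one-time key and ratchets forward, the GS replays the stream from the pre-configured origin, and a captured UAV's remaining key fails to open blocks already stored. Assumptions: the derivation K_{i+1} = HMAC-SHA256(K_i, "next|" || UAVID) and all names are hypothetical, the cipher is a standard-library stand-in for the test-bed's AES, and the (H1, H2, H3) tickets are omitted because their construction is not given on these slides.

```python
import hashlib
import hmac

def next_key(k: bytes, uav_id: bytes) -> bytes:
    # Assumed derivation: K_{i+1} = HMAC-SHA256(K_i, "next|" || UAVID)
    return hmac.new(k, b"next|" + uav_id, hashlib.sha256).digest()

def stand_in_cipher(k: bytes, data: bytes) -> bytes:
    # Stand-in for the test-bed's AES so the example needs only the standard
    # library: XOR with an HMAC-SHA256 counter-mode keystream. The same call
    # encrypts and decrypts. It is a placeholder, not a vetted cipher.
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hmac.new(k, b"enc|" + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class UAV:
    def __init__(self, uav_id: bytes, origin: bytes):
        self.uav_id, self._key, self.nvm = uav_id, origin, []

    def sense(self, sd: bytes) -> None:
        # Store [SDj || UAVID]Ki, then ratchet to K_{i+1}. Rebinding only drops
        # the Python reference; real firmware must overwrite the key buffer.
        self.nvm.append(stand_in_cipher(self._key, sd + self.uav_id))
        self._key = next_key(self._key, self.uav_id)

def gs_decrypt(origin: bytes, uav_id: bytes, blocks: list) -> list:
    # The GS replays the stream from the origin it was pre-configured with.
    k, out = origin, []
    for c in blocks:
        p = stand_in_cipher(k, c)
        if not p.endswith(uav_id):
            raise ValueError("block does not decrypt to SD || UAVID")
        out.append(p[: -len(uav_id)])
        k = next_key(k, uav_id)
    return out

def captured_key_opens(uav: UAV, block: bytes) -> bool:
    # What a captured UAV still holds is only K_{i+1}; test it on a stored block.
    return stand_in_cipher(uav._key, block).endswith(uav.uav_id)

if __name__ == "__main__":
    origin, uav_id = bytes(range(32)), b"UAV-07"  # constructed sample values
    uav = UAV(uav_id, origin)
    for sd in (b"temp=21.5", b"alt=120m"):
        uav.sense(sd)
    print(gs_decrypt(origin, uav_id, uav.nvm))
    print(any(captured_key_opens(uav, c) for c in uav.nvm))
```

The same ratchet also shows why streams are renewed: anyone who learns one Ki can run `next_key` forward, so only a new origin cuts that chain.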
UAV in Mission – Communication Process
• When UAV is in communication range of GS, it sends available encrypted data: [ SDj || UAVID ]Ki , …, [ SDj+n || UAVID ]Ki+n and keeps them until it receives an authenticated command from GS
  • One authenticated command is required per encrypted SD. If the UAV does not receive the related authenticated command, it will send these encrypted data again and again until it receives it.
• When UAV receives commands from GS, it authenticates them with the computed Authentication ticket (H1, H2, H3): it can then delete from its memory the encrypted data acknowledged along with the triplet related to the ticket used to authenticate the command.
• There are 3 types of commands:
  • The ACK command is only used by GS to acknowledge receipt of data
  • The NKS command is to change the key stream to a new one. The new origin is provided along with the command.
    • Note: to avoid some desynchronization attacks, for this specific command the UAV has to acknowledge that it has changed keys stream
  • Other commands can be normal C2 commands.
UAV to GS Secure Communication Protocol
Formal Proof & Analysis of Efficiency
• Using security experiments, in the random oracle model, we have proven that the proposed protocol is secure under the security of the chosen encryption scheme.
• Most operations used in the protocol are lightweight: xor, hash function, keyed hash function
• The only operation that is not lightweight is the chosen encryption scheme, denoted by [ ], whose choice is left free to the implementer.
Test-bed for UAS
• The UAV is a Parrot AR.Drone2 running Linux
  • Encryption scheme chosen is AES
  • Hash and keyed-hash functions are based on SHA-256
• The Ground Control Station is a desktop computer with a Wi-Fi card.
[Figure: UAV and Ground Control Station linked over Wi-Fi]
Conclusions and Future work
• Our protocol for UAS is efficient and secure against an attacker with a high attack potential.
• In addition, it is flexible: the implementer can choose the encryption scheme
• We plan to extend it to hierarchical UAS
  • Several GSs
  • Network with big UAV acting as cluster head
Acknowledgements to
• the SFD (Security of Fleets of Drones) project
  • funded by Region Limousin;
• the TRUSTED (TRUSted TEstbed for Drones) project
  • funded by the CNRS INS2I institute through the call 2016 PEPS (“Projet Exploratoire Premier Soutien”) SISC (“Securité Informatique et des Systèmes Cyber-physiques”);
• the SUITED (Suited secUrIty TEstbed for Drones), SUITED2 and UNITED (United NetworkIng TEstbed for Drones), UNITED2 projects
  • funded by the MIRES (Mathematiques et leurs Interactions, Images et information numérique, Réseaux et Sécurité) CNRS research federation;
• the SUITED-BX and UNITED-BX projects
  • funded by LaBRI and its MUSe team.
Thank You! Any Questions or Suggestions
Backup slide for Security Experiment